Aspcms This shooting range ...

This site source code is I play Webug collection of shooting range, but because of my own level of food, not build success =! Then, I also lazy, give me a friend, on his public network server to catch this station, so that I play. Because last time my friend shooting range happened to hang black page = =! I can only play the whole code = =!

Open the shooting range, we see this is a aspcms source, this is not nonsense = =! It was Aspcms's shooting range, and you? It's a white-box test, but we've got to pretend like we don't know anything, well, that's it.

We know this is a aspcms source, then go directly backstage, try the default password first.

My friend didn't even delete the installed TXT = =! Directly save me to turn my own folder ....

Whatever it is, try it first.

Well, deliberately to find me difficult ah, not to get a default password = =!

Forget it, I'll try the regular weak password, after all, this is the common problem of administrators.

OK, admin admin, admin admin123, admin admin888, admin 123456, etc., have tried all over, OK, weak password failed.

But we found a characteristic, that is ...

The verification code does not change, it means that the backstage can be exploded, but I am now blasting? That's certainly not the way it is available.

Then I went back to the front desk, probably to the site to see it again, because I have not played this source, so first see what obvious loopholes did not, of course, obviously, I did not see, saw a message board, estimated can XSS it.

Generally in the infiltration, we know that the site of the CMS, will go to check, this CMS has a history of loopholes, and then the structure of the use, then I will go to check.

My lazy Baidu, are directly to the dark cloud search,,, see there are five, then a structure using the next try Bai.

First, background backup logic error led to be injected a word trojan, the amount, said so advanced, not through the message board inserted a sentence, and the message board that database is exactly the post-stamp of ASP.

First look at the inserted posture, do not plug the wrong = =! Or it's embarrassing.

Open it!

I'm stuck! And then look at the effect.

Then go to the chopper and look at it repeatedly.

500, then no more, try the other loopholes.

Second, there is a SQL injection vulnerability in ASPCMS to get sensitive information, which, yes, can be pulled into SQL injection.

Look at the details = =!

Then apply it directly and look at the.

Directly apply positive error, the directory is not right, I changed the directory to change, and then enter a look, my French squid!!! What a ghost = =!

Then the interface is blank ...

I'll take a closer look at this loophole, MD, blinds ....

No, go on, next ...

Third, aspcms any user password reset, reset a luan son ah, this source code on a background can login ...

Continue to give up,,,

Fourth, ASPCMS message Board plug the Horse This is not the same as the first, brush points of shame ah ...

The last one, aspcms background file no authentication injection + cookie spoofing, see this generic can ah, to see the details.

This looks good, I will run Sqlmap directly, after all lazy to engage, boring.

Because the Cloud Vulnerability Library is 1, mine is 2, so first cut, hint.

Then run Sqlmap and run.

You can be sure it's an injection, and it's an Access database, so keep running.

Well, because of the particularity of the table name of the database, I still do it by hand = =! After all, I know his CMS, the equivalent of a white box.

Manual injection begins ...

24 fields, that would be a joint query.

Don't ask me to know the name of the table, this question to see now, do not know, it is very that.

Continue to check the data.

Well, no, this is definitely not admin account = =!

The miscellaneous injection of this came out = =! Then construct the following statement to check ...

Well, this is right, to check, MD5 is a few.

I wipe, pay a luan son Ah! I'll switch to a MD5 platform.

= =! The original or weak password = =! But then again, on this weak password, but also the bashful charge?

Advanced Backstage again ...

Finally came in, not easy ah ...

Take the process of Webshell, I will not record, anyway, I have a pen, put all the posture has been tried one time, have not succeeded, can not, IIS 7.5 server ... Give up, do not have to engage. To eat,,,,

There is no parsing vulnerability, the upload file is renamed directly, and there is a problem with the database. Grab the bag, there is no path, the path to add their own direct detonation, some online writing posture, tried again, did not succeed ....

I think I am too much food, summed up.

--------------------------------------------------------------------------------------------------------------- --------

Continued more, I went to ask my friend, you that server miscellaneous things, he said he server, do not know that ZZ uploaded a zombie horse, harm his server problem, but another horse can do, so I went on.

First enter the interface style.

Then click Add Template and Write a word.

And then look under, executed No.

Yes, on the chopper!!!

Get the shell, the last step, into the background, delete a word, after all, I am a white hat! # (Squint and laugh ...) ）

Aspcms This shooting range ...